In knowledge-based authentication (KBA), an organization asks a person for particular items of personal information. Such questions may include "where were you married?", "what was the color of your first car?", and "what was the name of your first pet?". The person must answer the questions correctly in order to prove to the organization that he or she is not an impostor, the premise being that only the genuine person is expected to know the answers.
In some situations, the person provides the organization with the answers to such questions up front (e.g., when opening an account with the organization). The organization is then able to save the answers, and re-ask one or more of the questions to authenticate the person at a later time.
In other situations, the organization may work with a KBA service provider. When the organization wishes to authenticate a person, it tells the KBA service provider who the person claims to be. The KBA service provider then retrieves previously gathered data on that claimed identity from one or more information sources (e.g., credit agencies, public records, commercially available information regulated by the Gramm-Leach-Bliley Act, etc.) and provides the organization with an appropriate set of questions based on that gathered data. Next, the organization asks the person one or more of the questions and relays each answer back to the KBA service provider. The KBA service provider evaluates each relayed answer and provides the organization with an authentication result (e.g., "passed authentication" or "failed authentication").
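The two flows described above, the organization holding its own enrollment answers and the organization delegating to a KBA service provider, as an added example in Python. This is illustrative code written for this page, not any vendor's KBA product or API. The class names, the sample identities, the "credit bureau" and "public records" dictionaries and the question wording are all constructed here; the salted hashing of enrolled answers, the normalization of answers before comparison and the one-shot session handling are design choices the page does not prescribe but which a practitioner would expect.

```python
"""Two knowledge-based authentication flows.
Flow 1: the organization stores the person's answers at enrollment and re-asks a subset.
Flow 2: the organization delegates to a KBA service provider that pulls facts on the
claimed identity from external sources, issues questions and scores each relayed answer.
All identities, questions and source records are constructed sample data."""
import hashlib
import hmac
import secrets

PASSED = "passed authentication"
FAILED = "failed authentication"


def normalize(answer: str) -> bytes:
    """Case- and whitespace-insensitive form, so ' Blue ' and 'blue' compare equal."""
    return " ".join(answer.strip().lower().split()).encode()


class OrganizationKBA:
    """Flow 1: answers supplied up front; only salted hashes are stored (assumed hardening)."""

    def __init__(self, questions_per_challenge: int = 2) -> None:
        self._store: dict[str, tuple[bytes, dict[str, str]]] = {}
        self._n = questions_per_challenge

    def enroll(self, user: str, answers: dict[str, str]) -> None:
        salt = secrets.token_bytes(16)
        hashed = {q: hashlib.sha256(salt + normalize(a)).hexdigest() for q, a in answers.items()}
        self._store[user] = (salt, hashed)

    def challenge(self, user: str) -> list[str]:
        """Re-ask a random subset of the enrolled questions."""
        _, hashed = self._store[user]
        return secrets.SystemRandom().sample(sorted(hashed), self._n)

    def verify(self, user: str, asked: list[str], answers: dict[str, str]) -> str:
        salt, hashed = self._store[user]
        ok = True
        for q in asked:  # score every asked question; no early exit on first mismatch
            got = hashlib.sha256(salt + normalize(answers.get(q, ""))).hexdigest()
            ok &= hmac.compare_digest(got, hashed[q])
        return PASSED if ok else FAILED


# Constructed sample data standing in for a credit agency and a public-records source.
CREDIT_BUREAU = {"Jane Doe": {"What street did you live on in 2009?": "Elm Street"}}
PUBLIC_RECORDS = {"Jane Doe": {"In which county were you married?": "Travis County"}}
JANE_ANSWERS = {"What street did you live on in 2009?": "elm street",
                "In which county were you married?": "Travis county"}


class KBAServiceProvider:
    """Flow 2: the organization names the claimed identity; the provider gathers facts,
    hands back questions, scores each relayed answer and reports one pass/fail result."""

    def __init__(self, sources: list[dict[str, dict[str, str]]], max_wrong: int = 0) -> None:
        self._sources = sources          # each source: claimed identity -> {question: fact}
        self._sessions: dict[str, dict] = {}
        self._max_wrong = max_wrong      # tolerance for wrong answers (assumed policy knob)

    def start(self, claimed_identity: str) -> tuple[str, list[str]]:
        facts: dict[str, str] = {}
        for src in self._sources:        # merge what each source knows about the identity
            facts.update(src.get(claimed_identity, {}))
        if not facts:
            raise LookupError("no data on claimed identity; no questions can be built")
        session = secrets.token_hex(8)
        self._sessions[session] = {"facts": facts, "asked": set(), "wrong": 0}
        return session, sorted(facts)    # the organization asks from this list

    def evaluate(self, session: str, question: str, answer: str) -> bool:
        s = self._sessions[session]
        s["asked"].add(question)
        correct = hmac.compare_digest(normalize(answer), normalize(s["facts"][question]))
        if not correct:
            s["wrong"] += 1
        return correct

    def result(self, session: str) -> str:
        s = self._sessions.pop(session)  # one-shot: a session cannot be re-scored later
        if not s["asked"]:
            return FAILED                # nothing was answered, so nothing was proven
        return PASSED if s["wrong"] <= self._max_wrong else FAILED


def demo() -> dict[str, str]:
    """Run both flows for a genuine person and for an impostor with partial knowledge."""
    org = OrganizationKBA()
    org.enroll("alice", {"Where were you married?": "Austin, Texas",
                         "What was the color of your first car?": "Blue",
                         "What was the name of your first pet?": "Rex"})
    asked = org.challenge("alice")
    genuine = {"Where were you married?": " austin, texas ",
               "What was the color of your first car?": "BLUE",
               "What was the name of your first pet?": "rex"}
    out = {"org_genuine": org.verify("alice", asked, genuine),
           "org_impostor": org.verify("alice", asked, {q: "unknown" for q in asked})}
    provider = KBAServiceProvider([CREDIT_BUREAU, PUBLIC_RECORDS])
    session, questions = provider.start("Jane Doe")
    for q in questions:
        provider.evaluate(session, q, JANE_ANSWERS[q])
    out["provider_genuine"] = provider.result(session)
    session, questions = provider.start("Jane Doe")
    provider.evaluate(session, questions[0], "Harris County")        # wrong
    provider.evaluate(session, questions[1], JANE_ANSWERS[questions[1]])  # right
    out["provider_impostor"] = provider.result(session)
    return out
```

Both verifiers score every asked question before deciding, compare with hmac.compare_digest and return only the coarse pass/fail string, so a caller (or an attacker probing the organization) learns nothing about which individual answer was wrong. In practice the organization would also rate-limit attempts and expire sessions; those controls are outside what the page describes and are not shown here.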